Utilities Race to Protect Electric Grid Before ‘Disaster Strikes’

Kenneth DeFontes, president and CEO of Baltimore Gas & Electric Co., warned lawmakers that cyber threats to the electric grid are fast evolving and demand “constant vigilance and close collaboration” among industry and government officials “before a disaster strikes.”

At a Congressional hearing on cybersecurity Thursday, DeFontes said he was working closely with a team of government officials and other utilities, part of the National Infrastructure Advisory Council, to figure out how to prepare for a possible outage due to a cyber attack. He said the teams were assessing various strategies, from sharing information and communicating with the public to protecting assets.

Utilities have two networks: a production network and a corporate network. The production systems are supposed to be kept offline (an industry practice known as creating an ‘air gap’) so they aren’t vulnerable to viruses distributed via the Internet. But experts and industry officials like DeFontes say the risk of cyber attack is nonetheless a great concern. They say these air gaps can be hopped if the two systems use common computer peripherals, such as printers or USB sticks, or if the production networks use public networks to send alerts. And while utilities follow industry standards regarding security, even industry officials admit these standards are not sufficient safeguards against the most significant threats.

“Cyber threats are constantly evolving in real time. They require quick action and flexibility that can come only from constant vigilance and close collaboration with the government and emergency response protocols that are planned and practiced before a disaster strikes,” DeFontes said during the hearing. He appeared on behalf of BG&E’s parent company Exelon Corp., and two electric industry trade groups. Exelon is one of the largest electric and natural gas utility companies in the U.S., and also the largest owner and operator of nuclear plants in the nation. In September, 70 electric company CEOs got a classified briefing at the North American Aerospace Defense Command in Colorado Springs. In January a group met to discuss how they would respond to a damaging cyber attack.

“Will we see a successful attack on the grid in the U.S.? You can’t say what the probability is. All you can ask is whether it is physically possible. And the answer is yes. It could physically happen,” says Richard A. Clarke, counter-terrorism czar in the Clinton and Bush administrations.

In theory, power companies are supposed to keep their corporate networks separate from their industrial control systems, including the type of control system known as Supervisory Control and Data Acquisition (SCADA) networks. That separation should prevent viruses that reach corporate networks via the Internet from attacking the SCADA systems.

“It turns out,” Clarke said, “that it is very easy to get into the SCADA networks.”

That’s because SCADA networks—which are used to control a range of industrial systems—are built to last for years, if not decades. They are designed to keep the grid operating near 100% of the time—not for security, which is sometimes viewed as an obstacle to performance. And when these networks were built, today’s security issues weren’t understood. They certainly weren’t designed to withstand the relentless form of cyber attack known as Advanced Persistent Threat, which can overwhelm a cyber defense system by the sheer volume and duration of assaults.

“The reason it is called advanced persistent threat is because they just keep going until some way or another, they get in,” Clarke says. “Firewalls are pretty vulnerable. In order to really defend a network, you can never make a mistake. And everybody makes a mistake from time to time … And once they are in, they are hard to get out.”

The isolation of SCADA networks isn’t as complete as one might suppose.

“Even though I have separate networks, there are potential connections, and there need to be,” says William Stewart, a former Army signal officer and now senior vice president at consultant Booz Allen Hamilton Inc., where he heads Booz’s Cyber Technologies Center of Excellence.

Malicious software that gets into production systems can destroy physical equipment, such as pumps and turbines, by targeting a known vulnerability in some rotating equipment, called Aurora. Utilities have known about the vulnerability since 2007, but only in the last year or two have utilities started to make some progress on this issue, experts say.

Experts described some of the potential bridges between the production networks and the corporate networks:

Maintenance. Elements of the control infrastructure sometimes need to be updated, which can create a scenario in which workers bring in code and connect potentially compromised computers.

Lax internal security behind the firewall. Some networks have strong firewalls that protect their perimeter—but insufficient internal boundaries. In those cases, hackers who manage to penetrate a firewall can move around inside of an organization with relative impunity.

Shared network gear and peripherals. It is possible for production and corporate networks to share network routers. They also might share peripherals like faxes, scanners and printers, which can be connected to the Internet, creating a potential entry point for hackers.

Movement of laptops and other devices. People can move laptops, thumb drives and other devices and storage media from the corporate network to the control network. This may be forbidden by policy, but it may happen in practice. It is possible to build in protections so that computers assigned to a corporate network can’t work on a production network, but such defenses aren’t always put in place.

Vulnerable supply chains. The hardware and software that companies use to build the control networks may not be safe, especially given the fact that economic pressures drive utilities to find the lowest cost provider.

SCADA connections to the Internet. Some SCADA networks are connected directly to the Internet. It’s possible to find them using a specialized search engine called Shodan. Researchers have found thousands of industrial control systems that can be accessed from the Internet, according to a report from the Department of Homeland Security. DHS has set out to notify utilities when their systems are discovered online.

Alerts. If control systems send out status alerts to workers using devices that are connected to the Internet, those alerts can be used by hackers to gain access to a SCADA system.

Insufficient industry standards. Cybersecurity standards established by the North American Electric Reliability Corporation – the body that oversees the U.S. electric grid – cover only the basics, not viruses like Stuxnet or the Aurora vulnerability.
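As an added illustration (not part of the article or of any utility's tooling), the following audit runs over constructed network-flow records and flags three of the bridges listed above: a device whose MAC address has been seen in both the corporate and control zones, corporate-to-control traffic to a shared peripheral, and control-zone hosts reaching the Internet. The zone address ranges, record format and MAC values are assumptions.

```python
"""Audit flow records for air-gap bridges between corporate and control zones."""
import ipaddress
from collections import defaultdict

# Assumed zone layout (hypothetical; not from the article).
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "control": ipaddress.ip_network("10.20.0.0/16"),
}

# Constructed sample records: "<mac> <src_ip> <dst_ip> <dst_port>".
SAMPLE = [
    "aa:bb:cc:00:00:01 10.10.5.7 10.10.1.1 445",        # ordinary corporate traffic
    "aa:bb:cc:00:00:02 10.20.3.4 10.20.3.9 502",        # ordinary control traffic
    "aa:bb:cc:00:00:01 10.20.3.4 10.20.3.9 502",        # same laptop, now on the control zone
    "aa:bb:cc:00:00:03 10.20.7.7 198.51.100.9 25",      # control host e-mailing alerts outward
    "aa:bb:cc:00:00:04 10.10.9.9 10.20.0.50 9100",      # corporate host printing via control zone
]


def zone_of(ip):
    """Map an address to its zone; anything outside both zones counts as Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def parse(line):
    mac, src, dst, port = line.split()
    return mac, src, dst, int(port)


def audit(lines):
    """Return (finding, a, b, port) tuples for flows and devices that bridge the air gap."""
    findings = []
    seen_zones = defaultdict(set)  # MAC -> zones the device has sent traffic from
    for line in lines:
        mac, src, dst, port = parse(line)
        sz, dz = zone_of(src), zone_of(dst)
        seen_zones[mac].add(sz)
        if sz == "control" and dz == "internet":
            findings.append(("control-to-internet", src, dst, port))
        if {sz, dz} == {"control", "corporate"}:
            findings.append(("cross-zone-flow", src, dst, port))
    for mac, zones in seen_zones.items():
        if zones >= {"control", "corporate"}:
            findings.append(("device-moved-between-zones", mac, "", 0))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The device check relies on the MAC surviving into the flow record, so in practice it is only meaningful for records taken at the access layer.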

BG&E parent company Exelon says that security is of the “utmost importance” but declined to specify measures it has taken to secure its network. In addition to electric industry standards, the company adheres to cybersecurity standards of the Nuclear Regulatory Commission. “We regularly work with relevant organizations and outside agencies to ensure that any security matters related to Exelon or the utility industry are addressed in our operations. This includes a robust array of security measures that are designed to protect our computer-based systems and other assets from cyber threats,” said a spokesperson.

But given widespread cyber vulnerabilities throughout the grid, “there is no question they (control networks) are penetrated,” Mr. Stewart says. The real question is whether dormant viruses deposited by hackers will be used to disrupt the operation of the grid. “It depends on the circumstances. They generally find (malware from) Advanced Persistent Threat is not active. It is there for the future.”

Comments (4 of 4)

So with all this information, I still don't know if we will ever be protected from this catastrophe.

7:42 am February 20, 2013

GrahamH wrote:

Eliminate all ethernet comms and replace it with direct serial.

8:43 pm February 19, 2013

DaveK wrote:

“The reason it is called advanced persistent threat is because they just keep going until some way or another, they get in [...]”

No it isn't. They are called APTs because, *once* they have got in, they stay around for a long time after the initial attack.

2:36 pm February 19, 2013

Dave wrote:

"At a Congressional hearing on cybersecurity Thursday, DeFontes said he was working closely with a team of government officials and other utilities, part of the National Infrastructure Advisory Council..."

The factors that render the electrical grid vulnerable to cyber attack are strikingly similar to the cyber risk issues faced by health care, financial services, and other industries. But one recent malware campaign targeting utilities shows just how exposed the grid remains to cyber threats.